
More Than Meets The Eye… Software Transformation vs Obfuscation

In the field of software security, the term ‘obfuscation’ comes up often, particularly when the goal is to protect software in a fully automated, “hands-free” manner. Software obfuscation is the modification of source code (or sometimes executable binaries) to hide details of the original software so that it is no longer easy for an attacker to analyze and then modify the flow of execution in pursuit of some potentially nefarious goal (e.g. defeating a DRM license check on a video player). Software obfuscation comes up in the context of automated security because many lighter forms of obfuscation can be applied without much knowledge of the structure and purpose of the software itself. An example in the case of an interpreted language such as JavaScript is to merely rename all identifiers to eliminate semantic meaning, e.g. renaming a function called decrypt(..) to foo1234(..). No intervention by a human expert is required to apply such local, lightweight obfuscation, and dozens, if not hundreds, of techniques of this sort have been created over the years.

The problem with software obfuscation is that it is simply not that effective: it is applied as a form of “tick-box” security, simply to say that something was done to protect the software from attack. Professional reverse engineers (those who make their living by attempting to analyze and defeat software and hardware security) generally disdain software obfuscation, since in reality it is not much of a barrier to the attacks they typically apply, and in most cases, once understood, a given obfuscation technique can be recognized and removed in an automated manner.
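The identifier-renaming case described above can be measured directly. The following is an added example, not Irdeto code: it applies decrypt(..) to foo1234(..) style renaming to a constructed sample function and then checks what is left unchanged. `SAMPLE`, the helper names and the regex-based tokenizer are assumptions made for illustration and handle only the small JavaScript subset used in the sample.

```javascript
// Added example, not Irdeto code. SAMPLE is a constructed stand-in for
// protected logic; the foo1234-style names follow the article's example.
const SAMPLE = `function decrypt(data, key) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) ^ key);
  }
  return out;
}`;

const KEYWORDS = new Set(["function", "let", "for", "return"]);
const IDENT = /^[A-Za-z_$][\w$]*$/;
const TOKEN = /"[^"]*"|[A-Za-z_$][\w$]*|\d+|\s+|./g;

// Names the snippet itself introduces: function name, parameters, let bindings.
function declaredNames(src) {
  const names = [];
  for (const m of src.matchAll(/\b(?:function|let)\s+([A-Za-z_$][\w$]*)/g)) names.push(m[1]);
  for (const m of src.matchAll(/\bfunction\s+[\w$]+\s*\(([^)]*)\)/g))
    for (const p of m[1].split(",")) if (p.trim()) names.push(p.trim());
  return [...new Set(names)];
}

// Walk tokens, tracking the previous non-blank token so `.prop` is left alone.
function mapTokens(src, fn) {
  let prev = "";
  return src.match(TOKEN).map(tok => {
    const isName = IDENT.test(tok) && !KEYWORDS.has(tok) && prev !== ".";
    if (tok.trim()) prev = tok;
    return isName ? fn(tok) : tok;
  });
}

// Light, local obfuscation: decrypt -> foo1234, out -> foo1235, ...
function renameIdentifiers(src) {
  const map = new Map(declaredNames(src).map((n, k) => [n, "foo" + (1234 + k)]));
  return mapTokens(src, t => map.get(t) || t).join("");
}

// What renaming cannot change: token shape with every free-standing name erased.
function shape(src) {
  return mapTokens(src, () => "ID").filter(t => t.trim()).join(" ");
}

// Built-in member names still spell out what the code does.
function survivingMembers(src) {
  return src.match(/\.[A-Za-z_$][\w$]*/g).map(s => s.slice(1));
}

const compile = src => new Function("return (" + src + ")")();
```

After renaming, `shape()` of the sample is identical to the original's, the compiled function returns the same output, and `survivingMembers()` still lists `length`, `fromCharCode` and `charCodeAt`: the semantic content is untouched even though every declared name is gone.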

At Irdeto we have developed a much more powerful software protection technique called Program Transformation, which is significantly more effective than simple software obfuscation while providing many of the same benefits of being easy to apply in an automated fashion. Understanding the difference between software obfuscation and Program Transformation can be a challenge without getting into a lot of technical detail, but an analogy with anti-piracy technology for movie content illustrates the point nicely.

In the early days of movie distribution via VHS tapes, the aim was to prevent pirates from making and selling illicit copies, so techniques were developed which meant that second-generation copies of the original tape would have highly distorted, wavering images. This was a successful anti-piracy technique because the quality of pirated copies was so poor that no one would pay for them (Figure 1).

Figure 1: Video Scrambling on a Pirated Copy

However, that didn’t mean that the original content of the pirated movie could not be viewed and understood: it might not have been a pleasant experience, but if you were really stuck and needed to watch a pirated copy (say, to write a movie review about it, referencing scenes and dialogue from the movie) it could be done. That’s because the protection technique was really just a simple form of obfuscation, and did not wholly remove the semantic content (meaning) of the original.

In fact, simple obfuscation techniques were used for video distribution in multiple media, including the early days of Cable TV and Pay TV. So, extending our analogy further, just like the simple software obfuscation described above, once a hacker discovered the video scrambling technique that was applied, it could be easily dealt with, whether it was video clamping, sync-tip suppression, video inversion, etc. This was because the fundamental video semantic information (like timing, reference clocks, etc.) remained in place even with the obfuscation. So the simpler forms of video scrambling became ineffective against a determined thief who wanted to steal the content or service.

Program Transformation techniques can do a much better job of removing the semantic content of software than simple obfuscation techniques while still permitting the protections to be applied automatically without impacting software functionality. This is achieved by analyzing the complete application code at a global level and applying algorithmic transformations that affect the code and even embedded data in an entangled, non-local fashion. The global span of Program Transformations and the effective entanglement of code and data make the attacker’s job much more difficult. To use the movie piracy analogy, after application of the software transformations, it would no longer be possible to write that movie review with a pirated copy, since all you would see would be a random-seeming snowstorm of pixels, with all semantic information removed. To learn more about Program Transformations and other effective software protection techniques, like entanglement, see the blog entry on software protection.

In a software-defined world, intellectual property increasingly defines the value of large corporations, and it needs to be protected from upstart competitors who are looking to steal market share by emulating the hard-earned work without a comparable investment. The question of “how much security is enough” depends very much on who you want to protect against and how much IP you have developed. Obfuscation may be enough to protect against the recreational hacker; Program Transformation is required to protect you from determined attackers.

For more detail about why software protection is important in cybersecurity today, please read our Cloakware Report, Edition 1.